https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35984 Bug ID: 35984 Summary: automated static code analysis should include security tests Change sponsored?: --- Product: Koha Version: unspecified Hardware: All OS: All Status: NEW Severity: normal Priority: P5 - low Component: Architecture, internals, and plumbing Assignee: koha-bugs@lists.koha-community.org Reporter: evelyn@bywatersolutions.com QA Contact: testopia@bugs.koha-community.org A few libraries have asked recently if, prior to production/during the development lifecycle, automated source code analysis tools are used to test for security flaws specifically. Typically these questions are in relation to processes like renewing cybersecurity insurance or initial discovery by a potential partner library's security/IT department. Perlcritic seems to be currently used, but as far as I can tell it appears the tests are for enforcing the coding standard. Using an automated tool to look for security flaws will be a beneficial addition to the project, so I'd like to at least start the discussion here. OWASP has an informational page for further reading: https://owasp.org/www-community/controls/Static_Code_Analysis -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.